* [PATCH] EVM: fix the evm= __setup handler return value
@ 2022-02-22 21:45 Randy Dunlap
2022-02-23 1:51 ` [EXTERNAL] " Mimi Zohar
0 siblings, 1 reply; 2+ messages in thread
From: Randy Dunlap @ 2022-02-22 21:45 UTC (permalink / raw)
To: linux-security-module
Cc: Randy Dunlap, Igor Zhbanov, Mimi Zohar, linux-integrity,
James Morris, Serge E. Hallyn
__setup() handlers should return 1 if the parameter is handled.
Returning 0 causes the entire string to be added to init's
environment strings (limited to 32 strings), unnecessarily polluting it.
Using the documented string "evm=fix" causes an Unknown parameter message:
Unknown kernel command line parameters
"BOOT_IMAGE=/boot/bzImage-517rc5 evm=fix", will be passed to user space.
and that string is added to init's environment string space:
Run /sbin/init as init process
with arguments:
/sbin/init
with environment:
HOME=/
TERM=linux
BOOT_IMAGE=/boot/bzImage-517rc5
evm=fix
With this change, using "evm=fix" acts as expected and an invalid
option ("evm=evm") causes a warning to be printed:
evm: invalid "evm" mode
but init's environment is not polluted with this string, as expected.
Fixes: 7102ebcd65c1 ("evm: permit only valid security.evm xattrs to be updated")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
Cc: Mimi Zohar <zohar@us.ibm.com>
Cc: linux-integrity@vger.kernel.org
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
---
security/integrity/evm/evm_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- lnx-517-rc5.orig/security/integrity/evm/evm_main.c
+++ lnx-517-rc5/security/integrity/evm/evm_main.c
@@ -86,7 +86,7 @@ static int __init evm_set_fixmode(char *
else
pr_err("invalid \"%s\" mode", str);
- return 0;
+ return 1;
}
__setup("evm=", evm_set_fixmode);
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [EXTERNAL] [PATCH] EVM: fix the evm= __setup handler return value
2022-02-22 21:45 [PATCH] EVM: fix the evm= __setup handler return value Randy Dunlap
@ 2022-02-23 1:51 ` Mimi Zohar
0 siblings, 0 replies; 2+ messages in thread
From: Mimi Zohar @ 2022-02-23 1:51 UTC (permalink / raw)
To: Randy Dunlap, linux-security-module
Cc: Igor Zhbanov, linux-integrity, James Morris, Serge E. Hallyn
On Tue, 2022-02-22 at 13:45 -0800, Randy Dunlap wrote:
> __setup() handlers should return 1 if the parameter is handled.
> Returning 0 causes the entire string to be added to init's
> environment strings (limited to 32 strings), unnecessarily polluting it.
>
> Using the documented string "evm=fix" causes an Unknown parameter message:
> Unknown kernel command line parameters
> "BOOT_IMAGE=/boot/bzImage-517rc5 evm=fix", will be passed to user space.
>
> and that string is added to init's environment string space:
> Run /sbin/init as init process
> with arguments:
> /sbin/init
> with environment:
> HOME=/
> TERM=linux
> BOOT_IMAGE=/boot/bzImage-517rc5
> evm=fix
>
> With this change, using "evm=fix" acts as expected and an invalid
> option ("evm=evm") causes a warning to be printed:
> evm: invalid "evm" mode
> but init's environment is not polluted with this string, as expected.
>
> Fixes: 7102ebcd65c1 ("evm: permit only valid security.evm xattrs to be updated")
> Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
> Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
> Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
Thanks, Randy, Igor.
The patch is queued in #next-integrity-testing.
Mimi
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-02-23 1:51 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-22 21:45 [PATCH] EVM: fix the evm= __setup handler return value Randy Dunlap
2022-02-23 1:51 ` [EXTERNAL] " Mimi Zohar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).